The Company Behind Zcash Announces Proposed Solution to Trusted Setup

Electric Coin Company (ECC), which launched and supports the development of the privacy coin Zcash, recently published a paper titled Halo: Recursive Proof Composition without a Trusted Setup.

On Sept. 10, ECC announced in a blog post that engineer and cryptographer Sean Bowe had discovered a way of “creating practical, scalable and trustless cryptographic proving” techniques, which it claims ends a 10-year-long pursuit by the cryptography community. He called the solution Halo.

“The concept is a proof that verifies the correctness of another instance of itself, allowing any amount of computational effort and data to produce a short proof that can be checked quickly.

Sean’s discovery involves ‘nested amortization’ — repeatedly collapsing multiple instances of hard problems together over cycles of elliptic curves so that computational proofs can be used to reason about themselves efficiently, which eliminates the need for a trusted setup.”

In cryptography, a trusted setup is a procedure in which a set of initial parameters is created and then, at a later stage, destroyed. It is called a trusted setup because one must trust the person who created the parameters to destroy them rather than keep them for future illicit gains.

The Electric Coin Company points out that trusted setups are difficult to coordinate, could present a systemic risk, and always have to be repeated for each major protocol upgrade. According to ECC, removing trusted setups should substantially improve the safety of upgradeable protocols.

The authors of the paper, Sean Bowe, Daira Hopwood and Jack Grigg, claim to have obtained the first practical example of recursive proof composition without a trusted setup, using only ordinary cycles of elliptic curves. They added:

“Our primary contribution is a novel technique for amortizing away expensive verification procedures from within the proof verification cycle so that we could obtain recursion using a composition of existing protocols and techniques. We devise a technique for amortizing the cost of verifying multiple inner product arguments which may be of independent interest.”